
Threat Brief:

Vice Society
The #1 threat to schools, colleges, and universities

May 2023
Threat Brief: Vice Society

In the last 12 months, the Vice Society ransomware gang has conducted more attacks against education targets globally,
and in the USA and the UK individually, than any other ransomware group.

Ransomware attacks against education cause misery and disruption, have delayed exams and cancelled school days,
destroy data, violate data privacy norms and laws, and require expensive, time-consuming recovery efforts.

[Figure 1: Known attacks on education targets ordered by ransomware gang, April 2022-March 2023. Bar chart with an x-axis of 0 to 50 attacks; gangs shown, in the order plotted: Vice Society, Other, LockBit, ALPHV, BianLian, AvosLocker, Royal.]

In September 2022, Vice Society attacked the Los Angeles Unified School District (LAUSD), the second largest school district in the USA with 640,000 students. After LAUSD refused to pay a ransom, Vice Society leaked a reported 500GB of data, including information marked “Secret” and “Confidential,” on the dark web.

In the same month, it left the Scholar’s Education Trust, a multi-academy trust that operates six UK schools, without access to its computer systems. A few days later a similarly disruptive attack on the UK’s prestigious Pate’s Grammar School led to sensitive and confidential information, including passport scans, being leaked online.

[Figure 2: LAUSD data leaked on the dark web]

Between April 2022 and March 2023, 39% of known Vice Society attacks hit education, compared to an average of 4%
across all the other ransomware gangs tracked by Malwarebytes.

In the USA, Vice Society has been the most prolific among a number of groups actively attacking education in the last 12
months, while in the UK it accounted for a staggering 70% of all attacks on the sector.

[Figure 3: Distribution of known ransomware attacks by industry sector, April 2022-March 2023. Horizontal bar chart with an x-axis of 0% to 40%, comparing Vice Society against other ransomware gangs. Sectors shown: Education, Services, Healthcare, Government, Logistics, Retail, Technology, Wholesale, Manufacturing, IT Services, Other, Construction.]



Vice Society’s targeting of education is undoubtedly deliberate and has likely allowed the gang to develop domain-specific techniques and expertise.

According to CISA, “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting … can still put school districts with robust cybersecurity programs at risk.”

A Vice Society attack is not directed at an individual computer but uses encryption and data theft to compromise an entire organisation. To achieve this, attackers may work for several days, or even weeks, inside a victim’s network before running their ransomware.

[Figure 4: Known attacks against UK education targets, April 2022-March 2023. Monthly bar chart with a y-axis of 0 to 4 attacks; months labelled April 2022, May 2022, June 2022, August 2022, Sept 2022, Oct 2022, Nov 2022, Dec 2022, Jan 2023, Feb 2023, March 2023. Gangs in the legend: Vice Society, BianLian, Hive, Medusa, AvosLocker, Royal, LockBit.]



After a successful attack, Vice Society demands a ransom in return for deleting stolen data and providing a decryption tool. Ransom demands are reported to have exceeded $1 million. (The average ransom payment across all ransomware gangs in Q4 2022 was $410,000.)

Victims’ details and stolen data are listed on the gang’s dark web website, which has adopted branding from the computer game Grand Theft Auto (GTA).

Unlike some of its competitors, Vice Society is not a ransomware-as-a-service (RaaS) vendor. It doesn’t produce its own ransomware, nor does it use other criminal gangs—“affiliates”—to carry out attacks.

[Figure 5: Vice Society has adopted GTA branding for its website]

PROTECTING AGAINST A VICE SOCIETY ATTACK

Because Vice Society may be active on your network for days before running a ransomware locker, it is not enough to simply stop the locker. By the time it’s run, its operators will already have stolen your data, taken steps to cover their tracks, and will have sufficient access to your network to retry their attack.

If Vice Society members gain access to your network they must be discovered and ejected, and their tools, accounts, and backdoors removed.

Vice Society likes to “live off the land,” using legitimate tools like PowerShell and the Windows Management Instrumentation (WMI) service to disguise its activity. Detecting this activity is a difficult task for any organization. It requires excellent, experienced security professionals with an eye for out-of-place details watching the network’s Endpoint Detection and Response (EDR) monitoring 24/7. For resource-constrained schools, the only cost-effective way to access this kind of skillset is through a third-party service like Malwarebytes Managed Detection and Response (MDR).

ATTACK PHASES AND PROTECTION

Assets
  Attack phase: Software vulnerabilities.
  Protection: Use Vulnerability and Patch Management to identify and prioritize vulnerabilities.
  Attack phase: Compromised accounts.
  Protection: Use two-factor authentication on Internet-facing accounts.

Infiltration and theft
  Attack phases:
    - Privilege escalation, may involve print spooler exploits or credential dumping.
    - Discovery, may involve the use of Advanced Port Scanner and Bloodhound.
    - Lateral movement, may utilize PsExec or RDP.
    - Data theft, may be accomplished with PsExec or PowerShell.
    - Backdoors, may involve SystemBC or proprietary solutions.
  Protection: Use MDR to identify attackers as they operate inside your network, before they launch ransomware.

Encryption
  Attack phase: Vice Society has used Hello Kitty and Zeppelin ransomware but may use other types in future.
  Protection: Use EDR to detect ransomware, identify surreptitious encryption, and roll back affected files to an unencrypted state.

Reinfection
  Attack phase: Even if its ransomware is stopped, Vice Society has not lost access to your network.
  Protection: Use EDR or MDR to identify initial access, compromised accounts, tools, and backdoors to remove Vice Society operators and prevent another attack.
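To make the detection problem described above concrete, here is a small Python triage over constructed Windows event records that flags the living-off-the-land patterns the brief names: a PsExec service install, an encoded PowerShell command line, a process spawned by the WMI provider host, and an RDP logon. This is an added example written for this page, not Malwarebytes code or a description of any product; the event channels and IDs (System 7045, Security 4688, Security 4624) are the standard Windows ones, while the sample records, the field subset, the rule names and the phase labels are assumptions made up for the example.

```python
"""Triage of Windows event records for the living-off-the-land tradecraft the
brief describes (PsExec, PowerShell, WMI, RDP). Added example for this page,
not Malwarebytes code. Event channels and IDs are the real Windows ones
(System 7045 service install, Security 4688 process creation, Security 4624
logon); the sample records and the field subset used are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    channel: str      # Windows event log channel, e.g. "System" or "Security"
    event_id: int
    fields: dict      # simplified subset of the event's data fields (assumed names)


def encode_ps(script: str) -> str:
    """Build a PowerShell -EncodedCommand value (base64 of UTF-16LE). Used here
    only to construct a realistic sample record for the decoder to work on."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample records; not from a real incident.
SAMPLE_EVENTS = [
    # PsExec installs a service named PSEXESVC on the machine it is run against.
    Event("System", 7045, {"ServiceName": "PSEXESVC",
                           "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # Hidden, encoded PowerShell: the script text is not readable in the raw log.
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "ParentProcessName": r"C:\Windows\System32\cmd.exe",
                             "CommandLine": "powershell.exe -nop -w hidden -enc "
                                            + encode_ps("Get-ChildItem C:\\Users -Recurse")}),
    # A process whose parent is the WMI provider host, as seen with remote WMI execution.
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\cmd.exe",
                             "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                             "CommandLine": "cmd.exe /c whoami"}),
    # RDP logon: logon type 10 is RemoteInteractive.
    Event("Security", 4624, {"LogonType": "10", "TargetUserName": "svc_backup",
                             "IpAddress": "10.0.5.23"}),
    # Benign scheduled script run; must not be flagged.
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "ParentProcessName": r"C:\Windows\System32\svchost.exe",
                             "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"}),
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script behind a -EncodedCommand argument, or None when the
    command line has none or the payload is not valid base64 of UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Map each suspicious record to a (phase label, rule, detail) finding.
    Phase labels follow the brief's attack-phase names and are this example's choice."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.channel == "System" and ev.event_id == 7045:
            if f.get("ServiceName", "").upper() == "PSEXESVC":
                findings.append(("Lateral movement", "PsExec service installed", f.get("ImagePath", "")))
        elif ev.channel == "Security" and ev.event_id == 4688:
            cmd = f.get("CommandLine", "")
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("Discovery / data theft", "Encoded PowerShell command", decoded))
            if f.get("ParentProcessName", "").lower().endswith("\\wmiprvse.exe"):
                findings.append(("Lateral movement", "Process spawned by WMI provider host", cmd))
        elif ev.channel == "Security" and ev.event_id == 4624 and f.get("LogonType") == "10":
            findings.append(("Lateral movement", "RDP (RemoteInteractive) logon",
                             f"{f.get('TargetUserName')} from {f.get('IpAddress')}"))
    return findings


if __name__ == "__main__":
    for phase, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{phase}] {rule}: {detail}")
```

Two practical caveats: Security event 4688 only carries a CommandLine field when process-creation command-line auditing is enabled in audit policy, and none of these rules proves an intrusion on its own (administrators use PsExec, WMI and RDP legitimately), which is why the brief pairs such telemetry with analysts who know what is out of place on their network.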
Managed Detection and Response
Malwarebytes Managed Detection and Response (MDR) helps schools, businesses, MSPs, and other
organizations to stop cyberattacks before they happen, utilizing a team of experienced analysts
to detect, investigate, remediate, and hunt for threats. Powering MDR is the company’s Endpoint
Detection and Response (EDR), which includes Endpoint Protection (EP) and ransomware anomaly
detection that stopped 100% of ransomware threats in third-party testing. A 24/7 cybersecurity


malwarebytes.com/business corporate-sales@malwarebytes.com 1.800.520.2796

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Much more than malware remediations, the
company provides cyberprotection, privacy, and prevention to tens of thousands of consumers and organizations every day. For more information,
visit https://www.malwarebytes.com.
Copyright © 2023, Malwarebytes. All rights reserved. Malwarebytes and the Malwarebytes logo are trademarks of Malwarebytes. Other marks and brands may be claimed as the property of others.
All descriptions and specifications herein are subject to change without notice and are provided without warranty of any kind. 05/2023
